When working with the server side of these applications, you can use commercial certificate authorities (such as VeriSign, Thawte and others) to obtain Digital Certificates for the SSL connections (see Configure SSL on Your Website with IIS for an example).

Windows Mobile 2003 is already configured with Root Certificates that represent the following certificate authorities:

VeriSign

Cybertrust

Thawte

Entrust

GlobalSign

Equifax

However, to save money on Digital Certificates, many enterprises might want to use their own, internally configured certificate authorities (one example of such a CA is the built-in CA in Windows Server 2003; see Install Windows Server 2003 CA for more info). Although such CAs can issue certificates for many uses (for example EFS encryption, IPSec, e-mail encryption and so on), the biggest problem with internally issued, non-commercial certificates is that computers outside your organization will not trust them. These "outside" computers and devices do not automatically trust the root certificate of your internal certificate authority, so any certificate issued by it is treated as signed by a non-trusted CA.

On Windows-based computers this can be easily fixed by adding the Root Certificate for the internal CA to the Trusted Root Certificates store on each computer. This can be achieved either by manually importing the Root Certificate on each computer, or by using GPOs and Active Directory.
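The trust failure and its fix described above can be reproduced offline. This is an added example, not part of the original article; it uses the OpenSSL command line rather than Windows tooling, and every CA name, host name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throwaway keys are deleted on exit

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME CN: create a self-signed root CA certificate and key.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA_NAME CN: create a server certificate signed by the named root.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# is_trusted STORE CERT: succeeds only if CERT chains to a root found in STORE.
is_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_root commercial "Constructed Commercial Root"    # stands in for a preinstalled root
make_root internal   "Constructed Internal Root CA"   # the enterprise's own CA
issue_leaf internal  "intranet.example.internal"

# The client's trust store starts with the preinstalled root only.
cp "$WORK/commercial.pem" "$WORK/device-store.pem"
is_trusted "$WORK/device-store.pem" "$WORK/leaf.pem" && echo "before: trusted" || echo "before: NOT trusted"

# Adding the internal root to the store is what makes its certificates verify.
cat "$WORK/internal.pem" >> "$WORK/device-store.pem"
is_trusted "$WORK/device-store.pem" "$WORK/leaf.pem" && echo "after: trusted" || echo "after: NOT trusted"
```

The server certificate itself is identical in both checks; only the contents of the client's trust store change the outcome.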

On Windows Mobile-based Pocket PCs you also need to add the Root Certificate to the Trusted Root Certificates store on the device. However, these devices can be configured to temporarily stop checking the validity of the Root Certificate by using the following tool: